Difference between revisions of "Software access point"

From ArchWiki
m (create_ap: note for autostart)
 
(91 intermediate revisions by 33 users not shown)

Latest revision as of 21:56, 8 July 2018

A software access point, also called virtual router or virtual Wi-Fi, enables a computer to turn its wireless interface into a Wi-Fi access point. It saves the trouble of getting a separate wireless router.

Requirements

Wi-Fi device must support AP mode

You need an nl80211 compatible wireless device which supports the AP operating mode. Verify this by running the iw list command: under the Supported interface modes block, AP must be listed:

$ iw list
Wiphy phy1
...
	Supported interface modes:
		 * IBSS
		 * managed
		 * AP
		 * AP/VLAN
		 * WDS
		 * monitor
		 * mesh point
...

Wireless client and software AP with a single Wi-Fi device

Creating a software AP is independent of your own network connection (Ethernet, wireless, ...). Many wireless devices also support simultaneous operation as an AP and as a wireless client. With that capability you can create a software AP that acts as a wireless repeater for an existing network using a single wireless device. The capability is listed in the valid interface combinations section of the iw list output:

$ iw list
Wiphy phy1
...
        valid interface combinations:
                 * #{ managed } <= 2048, #{ AP, mesh point } <= 8, #{ P2P-client, P2P-GO } <= 1,
                   total <= 2048, #channels <= 1, STA/AP BI must match
...

The constraint #channels <= 1 means that your software AP must operate on the same channel as your Wi-Fi client connection; see the channel setting in hostapd.conf below.

To use this capability, perhaps because an Ethernet connection is not available, create two separate virtual interfaces on the physical device (here wlan0), each with its own unique MAC address: one for the client connection (wlan0_sta) and one for the software AP run by hostapd (wlan0_ap):

# iw dev wlan0 interface add wlan0_sta type managed addr 12:34:56:78:ab:cd  
# iw dev wlan0 interface add wlan0_ap  type managed addr 12:34:56:78:ab:ce

A random MAC address can be generated with macchanger. Use a locally administered address (the 0x02 bit of the first octet set, as in the 12:... examples above) so that it cannot collide with a vendor-assigned one.
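The checks described above, as an added example that is not part of the ArchWiki page: it parses iw list output for AP support and the #channels constraint, parses iw reg get for the world regulatory domain, generates locally administered random MAC addresses, and then runs the same two iw commands as the page. The interface names are assumptions, and the sample iw list text is constructed for the checks; set IW=echo to print the commands instead of running them as root.

```shell
#!/bin/sh
# Pre-flight checks for a software AP, then creation of the client/AP
# virtual interface pair. Added example, not from the ArchWiki page.
# Set IW=echo to dry-run without root.

IW=${IW:-iw}

# supports_ap_mode: exit 0 if the "iw list" text on stdin lists AP under
# "Supported interface modes".
supports_ap_mode() {
    awk '
        /Supported interface modes:/ { inmodes = 1; next }
        inmodes && /^[[:space:]]*\* / { if ($2 == "AP") found = 1; next }
        inmodes { inmodes = 0 }
        END { exit found ? 0 : 1 }
    '
}

# max_ap_channels: print N from the first "#channels <= N" line of the
# interface combinations; 1 means AP and client must share a channel.
max_ap_channels() {
    sed -n 's/.*#channels <= \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# regdomain_is_world: exit 0 if "iw reg get" on stdin reports country 00,
# the world domain under which 5 GHz channels carry the no-ir flag.
regdomain_is_world() {
    grep -q '^country 00:'
}

# random_local_mac: six urandom bytes with the locally administered bit set
# and the multicast bit cleared in the first octet.
random_local_mac() {
    set -- $(od -An -N6 -tx1 /dev/urandom)
    first=$(( (0x$1 | 0x02) & 0xfe ))
    printf '%02x:%s:%s:%s:%s:%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# mac_is_local_unicast MAC: exit 0 if the first octet has U/L=1 and I/G=0.
mac_is_local_unicast() {
    o=$(( 0x$(printf '%s' "$1" | cut -d: -f1) ))
    [ $(( o & 0x03 )) -eq 2 ]
}

# create_vifs PHYIF STA AP: add the two virtual interfaces on PHYIF. Both
# are added as managed, as on the wiki page; hostapd switches AP to AP mode.
create_vifs() {
    $IW dev "$1" interface add "$2" type managed addr "$(random_local_mac)" || return 1
    $IW dev "$1" interface add "$3" type managed addr "$(random_local_mac)" || return 1
}

# preflight PHYIF: run the checks against the live system, then create
# PHYIF_sta and PHYIF_ap.
preflight() {
    dev=${1:-wlan0}
    $IW list | supports_ap_mode || { echo "$dev: no AP mode" >&2; return 1; }
    [ "$($IW list | max_ap_channels)" = "1" ] && echo "note: AP must use the client's channel"
    $IW reg get | regdomain_is_world && echo "note: regdomain is 00, set country_code first"
    create_vifs "$dev" "${dev}_sta" "${dev}_ap"
}

# Constructed sample of "iw list" output (not captured from a real device).
sample_iw_list() {
    cat <<'EOF'
Wiphy phy1
	Supported interface modes:
		 * IBSS
		 * managed
		 * AP
		 * AP/VLAN
		 * monitor
	valid interface combinations:
		 * #{ managed } <= 2048, #{ AP, mesh point } <= 8, #{ P2P-client, P2P-GO } <= 1,
		   total <= 2048, #channels <= 1, STA/AP BI must match
EOF
}

case "${1:-}" in --preflight) preflight "${2:-wlan0}" ;; esac
```

Run it as root with `sh ap-preflight.sh --preflight wlan0`; with a world regulatory domain the 5 GHz band is unusable for an AP, so set country_code in hostapd.conf (or `iw reg set`) before choosing a 5 GHz channel.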

Configuration

Setting up an access point comprises two main parts:

  1. Setting up the Wi-Fi link layer, so that wireless clients can associate to your computer's software access point and exchange IP packets with it.
  2. Setting up the network configuration on your computer, so that it properly relays IP packets between its own internet connection and the wireless clients.

Wi-Fi link layer

The actual Wi-Fi link is established via the hostapd package, which has WPA2 support.

Adjust the options in the hostapd configuration file as necessary; in particular, change the ssid and the wpa_passphrase. Since the file stores the passphrase in clear text, make it readable by root only (chmod 600 /etc/hostapd/hostapd.conf). See the hostapd Linux documentation page for more information.

/etc/hostapd/hostapd.conf
interface=wlan0_ap
bridge=br0

# SSID to be used in IEEE 802.11 management frames
ssid=YourWiFiName
# Driver interface type (hostap/wired/none/nl80211/bsd)
driver=nl80211
# Country code (ISO/IEC 3166-1)
country_code=US

# Operation mode (a = IEEE 802.11a (5 GHz), b = IEEE 802.11b (2.4 GHz), g = IEEE 802.11g (2.4 GHz))
hw_mode=g
# Channel number
channel=7
# Maximum number of stations allowed
max_num_sta=5

# Bit field: bit0 = WPA, bit1 = WPA2
wpa=2
# Bit field: bit0 = Open System authentication, bit1 = Shared Key (WEP) authentication; use 1 with WPA2
auth_algs=1

# Set of accepted cipher suites
rsn_pairwise=CCMP
# Set of accepted key management algorithms
wpa_key_mgmt=WPA-PSK
wpa_passphrase=Somepassphrase

# hostapd event logger configuration
logger_stdout=-1
logger_stdout_level=2
Tip: You can set up the SSID with UTF-8 characters, so international characters will show properly. The option to enable it is utf8_ssid=1. Some clients may have problems with recognizing the correct encoding (e.g. wpa_supplicant or Windows 7).

When starting hostapd, make sure the wireless network interface is brought up first, otherwise it will fail with the message "could not configure driver mode".

For automatically starting hostapd, enable the hostapd.service.

Warning: The wireless channels allowed for access point operation differ according to geography. Depending on the wireless firmware, you may have to set the region correctly to use legal channels. Do not choose another region, as you may be illegally disturbing network traffic, affecting wireless functionality of your own device and others within its reach! To set the region see Wireless network configuration#Respecting the regulatory domain.
Note: If you have a card based on the RTL8192CU chipset, install hostapd-rtl871xdrv from the AUR and replace driver=nl80211 with driver=rtl871xdrv in the hostapd.conf file.
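The configuration above with the weak settings beside the corrected ones, as an added example that is not from the ArchWiki page or the hostapd project: a small audit script that flags the settings which weaken the link layer (WPA1 negotiable, Shared Key authentication, TKIP, no management frame protection, short passphrase, world-readable file), next to a hardened WPA2-PSK configuration it passes. Both configuration files are constructed here; the 16-character passphrase minimum is this example's own policy, not a hostapd requirement.

```shell
#!/bin/sh
# Audit a hostapd.conf for settings that weaken the Wi-Fi link layer and
# show a hardened configuration next to a legacy one. Added example, not
# from the ArchWiki page or hostapd; the configs are constructed samples.

# conf_get FILE KEY: value of KEY; hostapd takes the last occurrence.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# audit_hostapd_conf FILE: print one finding per line, return their count.
audit_hostapd_conf() {
    f=$1; n=0
    wpa=$(conf_get "$f" wpa)
    algs=$(conf_get "$f" auth_algs)
    pairwise="$(conf_get "$f" wpa_pairwise) $(conf_get "$f" rsn_pairwise)"
    pmf=$(conf_get "$f" ieee80211w)
    pass=$(conf_get "$f" wpa_passphrase)

    # wpa is a bit field (bit0 = WPA, bit1 = WPA2/RSN); 1 or 3 lets clients
    # negotiate WPA1 and its TKIP cipher.
    [ "$wpa" = "2" ] || { echo "wpa=${wpa:-unset}: WPA1 negotiable, use wpa=2"; n=$((n+1)); }

    # auth_algs bit1 is Shared Key (WEP) authentication; hostapd defaults to 3.
    [ "$algs" = "1" ] || { echo "auth_algs=${algs:-unset}: Shared Key auth enabled, use auth_algs=1"; n=$((n+1)); }

    # TKIP in either cipher list is a downgrade path for the pairwise key.
    case " $pairwise " in
        *" TKIP "*) echo "TKIP accepted as pairwise cipher, use CCMP only"; n=$((n+1)) ;;
    esac

    # ieee80211w: 0/unset = no PMF, 1 = optional, 2 = required. Without PMF
    # anyone in range can forge deauth/disassoc frames against clients.
    case "$pmf" in
        2) ;;
        1) echo "ieee80211w=1: PMF optional, prefer ieee80211w=2"; n=$((n+1)) ;;
        *) echo "ieee80211w=${pmf:-unset}: management frames unprotected, set ieee80211w=2"; n=$((n+1)) ;;
    esac

    # The PSK derives from the passphrase and is attacked offline from one
    # captured 4-way handshake; 16 is this script's minimum (hostapd: 8).
    if [ -n "$pass" ] && [ ${#pass} -lt 16 ]; then
        echo "wpa_passphrase is ${#pass} chars, use 16+ random characters"; n=$((n+1))
    fi

    # The passphrase is stored in clear text, so the file must be root-only.
    perm=$(ls -l "$f" | cut -c5-10)
    [ "$perm" = "------" ] || { echo "$f readable by group/other ($perm), chmod 600"; n=$((n+1)); }
    return $n
}

# write_weak_conf FILE: legacy-style settings that the audit flags.
write_weak_conf() {
    cat >"$1" <<'EOF'
interface=wlan0
driver=nl80211
ssid=YourWiFiName
hw_mode=g
channel=7
auth_algs=3
wpa=3
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wpa_key_mgmt=WPA-PSK
wpa_passphrase=Somepass
EOF
    chmod 644 "$1"
}

# write_hardened_conf FILE: WPA2-PSK, CCMP only, PMF required, root-only file.
write_hardened_conf() {
    cat >"$1" <<'EOF'
interface=wlan0_ap
bridge=br0
driver=nl80211
country_code=US
ieee80211d=1
ssid=YourWiFiName
hw_mode=g
channel=7
max_num_sta=5
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ieee80211w=2
wpa_passphrase=correct-horse-battery-staple-9x
ctrl_interface=/run/hostapd
ctrl_interface_group=0
EOF
    chmod 600 "$1"
}

case "${1:-}" in --audit) audit_hostapd_conf "$2" ;; esac
```

Run `sh hostapd-audit.sh --audit /etc/hostapd/hostapd.conf` and fix each finding; if all clients support it, WPA3 can be enabled on the hardened file with `wpa_key_mgmt=WPA-PSK SAE` plus an `sae_password`, which requires the `ieee80211w=2` already set there.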

Network configuration

There are two basic ways for implementing this:

  1. bridge: creates a network bridge on your computer; wireless clients appear on the same network interface and the same subnet as your computer.
  2. NAT: uses IP forwarding/masquerading and a DHCP service; wireless clients use a dedicated subnet, and traffic from/to that subnet is NATed. This is similar to a normal Wi-Fi router connected to the internet.

The bridge approach is simpler, but it requires that every service the wireless clients need, in particular DHCP, is available on the computer's external interface. It therefore does not work with a point-to-point link such as PPPoE or a 3G modem, or with a cable modem that hands out exactly one IP address via DHCP.

The NAT approach is more versatile, as it clearly separates Wi-Fi clients from your computer and it is completely transparent to the outside world. It will work with any kind of network connection, and (if needed) traffic policies can be introduced using the usual iptables approach.

It is possible to combine the two approaches: for example, a bridge that contains both an Ethernet device and the wireless device, with a static IP, offering DHCP, and NAT configured to relay the traffic to an additional network device connected to the WAN.

Bridge setup

You need to create a network bridge and add your network interface (e.g. eth0) to it. You should not add the wireless device (e.g. wlan0) to the bridge; hostapd will add it on its own.

See Network bridge.

Tip: You may wish to reuse an existing bridge, if you have one (e.g. used by a virtual machine).

NAT setup

See Internet sharing#Configuration for configuration details.

In that article, the device connected to the LAN is net0. That device would be in this case your wireless device (e.g. wlan0).
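The NAT variant with the traffic policy the section mentions, as an added example that is not from the ArchWiki page or the Internet sharing article: it addresses the AP interface, enables forwarding, masquerades the client subnet behind the WAN interface, and restricts clients to the internet plus DHCP and DNS on the host. The interface names and the 192.168.12.0/24 subnet are assumptions; set IP=echo IPT=echo SYSCTL=echo to print the commands instead of running them as root.

```shell
#!/bin/sh
# NAT setup for a hostapd access point with a restrictive forwarding policy.
# Added example, not from the ArchWiki page. Interface names and the
# 192.168.12.0/24 subnet are assumptions.

IP=${IP:-ip}
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}

# setup_ap_nat WLAN WAN AP_ADDR/PREFIX AP_NET/PREFIX
# Rules are appended, so the INPUT chain must not already contain a
# blanket ACCEPT for them to take effect.
setup_ap_nat() {
    wlan=$1 wan=$2 ap_addr=$3 ap_net=$4

    $IP link set "$wlan" up
    $IP addr add "$ap_addr" dev "$wlan"
    $SYSCTL -w net.ipv4.ip_forward=1

    # NAT: rewrite the client subnet to the WAN address.
    $IPT -t nat -A POSTROUTING -s "$ap_net" -o "$wan" -j MASQUERADE

    # Forwarding: default deny, then allow clients out and replies back.
    # The DROP policy also stops clients reaching each other through the
    # host (hostapd's ap_isolate=1 covers the radio side).
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$wlan" -o "$wan" -s "$ap_net" -j ACCEPT
    $IPT -A FORWARD -i "$wan" -o "$wlan" -d "$ap_net" \
         -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Input from clients: DHCP, DNS and reply traffic only; nothing else on
    # this host (sshd, databases, ...) is reachable from the AP side.
    $IPT -A INPUT -i "$wlan" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$wlan" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$wlan" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$wlan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$wlan" -j DROP
}

# dnsmasq_conf WLAN AP_ADDR: print a matching dnsmasq fragment that serves
# DHCP and DNS only on the AP interface (AP_ADDR without prefix length).
dnsmasq_conf() {
    cat <<EOF
interface=$1
bind-interfaces
dhcp-range=${2%.*}.50,${2%.*}.150,12h
dhcp-option=option:router,$2
dhcp-option=option:dns-server,$2
EOF
}

case "${1:-}" in
    --setup) setup_ap_nat "${2:-wlan0}" "${3:-eth0}" 192.168.12.1/24 192.168.12.0/24 ;;
    --dnsmasq) dnsmasq_conf "${2:-wlan0}" 192.168.12.1 ;;
esac
```

Write the dnsmasq fragment to a file under /etc/dnsmasq.d/ (or append it to /etc/dnsmasq.conf), then run `sh ap-nat.sh --setup wlan0 eth0` after hostapd is up; the rules are not persistent, so save them with your usual iptables persistence mechanism.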

Tools

create_ap

The create_ap package provides a script that can create either a bridged or a NATed access point for internet sharing. It combines hostapd, dnsmasq and iptables to bring up and run the access point. The basic syntax to create a NATed virtual network is:

# create_ap wlan0 eth0 MyAccessPoint MyPassPhrase

Alternatively, the template configuration provided in /etc/create_ap.conf can be adapted to one's needs and the script run with:

# create_ap --config /etc/create_ap.conf

enable/start create_ap.service to run the script at boot time with the configuration specified in /etc/create_ap.conf.

For more information see create_ap on GitHub.

Note: In bridge mode, create_ap may conflict at boot time with the existing network configuration. In this case, do not configure an IP address on the Ethernet interface, neither by DHCP nor statically, so that it can be bound to the bridge.

RADIUS

See https://me.m01.eu/blog/2012/05/wpa-2-enterprise-from-scratch-on-a-raspberry-pi/ for instructions to run a FreeRADIUS server for WPA2 Enterprise.

Troubleshooting

WLAN is very slow

This could be caused by low entropy. Consider installing haveged.

NetworkManager is interfering

hostapd may not work if the device is managed by NetworkManager. You can mark the device as unmanaged:

/etc/NetworkManager/NetworkManager.conf
[keyfile]
unmanaged-devices=mac:<hwaddr>

Cannot start AP mode in 5 GHz band

With the special country code 00 (the world regulatory domain), all usable frequencies in the 5 GHz band carry the no-ir (no-initiating-radiation) flag, which prevents hostapd from starting an AP on them. Install crda and set your country code (check the current one with iw reg get) so that the frequencies allowed in your country become available to hostapd.

See also

  * Router
  * Hostapd : The Linux Way to create Virtual Wi-Fi Access Point: http://nims11.wordpress.com/2012/04/27/hostapd-the-linux-way-to-create-virtual-wifi-access-point/
  * tutorial and script for configuring a subnet with DHCP and DNS: http://xyne.archlinux.ca/notes/network/dhcp_with_dns.html